The White House wants a more open Vulnerabilities Equities Process and has unveiled a new VEP Charter in order to promote transparency in bug reviews.

The White House wants more transparency in how federal agencies determine whether or not to disclose software vulnerabilities, but there are early questions regarding how it might work.

The Vulnerabilities Equities Process (VEP) was designed to organize how federal agencies would review vulnerabilities and decide if a flaw should be kept secret for use in intelligence or law enforcement operations, or if it should be disclosed to vendors. The new VEP Charter, announced by Rob Joyce, special assistant to the president and cybersecurity coordinator for the National Security Council, aims to ensure the government conducts "the VEP in a manner that can withstand a high degree of scrutiny and oversight from the citizens it serves."

"I believe that conducting this risk/benefit analysis is a vital responsibility of the Federal Government," Joyce wrote in a public statement. "Although I don't believe withholding all vulnerabilities for operations is a responsible position, we see many nations choose it. I also know of no nation that has chosen to disclose every vulnerability it discovers."

Joyce laid out the "key tenets" of the new VEP Charter, including increased transparency and an annual report, improved standardization of the process regarding the interests of various stakeholders and increased accountability.

"We make it clear that departments and agencies with protective missions participate in VEP discussions, as well as other departments and agencies that have broader equities, like the Department of State and the Department of Commerce. We also clarify what categories of vulnerabilities are submitted to the process and ensure that any decision not to disclose a vulnerability will be reevaluated regularly," Joyce wrote.

"There are still important reasons to keep many of the specific vulnerabilities evaluated in the process classified, but we will release an annual report that provides metrics about the process to further inform the public about the VEP and its outcomes."

Questions about the VEP Charter

The VEP has previously been criticized by experts for being optional, rather than being codified into law. But the VEP Charter does not include language that makes the process a requirement, nor does it acknowledge the PATCH Act, a bill proposed in Congress that would enforce a framework for using the VEP.

Heather West, senior policy manager and Americas principal at Mozilla, noted in a blog post that "many of the goals of the PATCH Act [are] covered in this process release, [but] our overarching goal in codifying the VEP in law to ensure compliance and permanence cannot be met by unilateral executive action."

Early readings of the VEP Charter have revealed what some consider a conflict of interest: The National Security Agency (NSA) is designated as the VEP Executive Secretariat, with the responsibility to "facilitate information flow, discussions, determinations, documentation, and recordkeeping for the process."

However, the VEP Charter also stated that any flaw found in NSA-certified equipment or systems should be "reported to NSA as soon as practical. NSA will assume responsibility for this vulnerability and submit it formally through the VEP Executive Secretariat."

Additionally, some have taken issue with the following clause in the VEP Charter: "The [U.S. government's] decision to disclose or restrict vulnerability information could be subject to restrictions by foreign or private sector partners of the USG, such as Non-Disclosure Agreements, Memoranda of Understanding, or other agreements that constrain USG options for disclosing vulnerability information."

Edward Snowden said on Twitter that this could be considered an "enormous loophole permitting digital arms brokers to exempt critical flaws in U.S. infrastructure from disclosure" by using a nondisclosure agreement.

The percentage of vulnerabilities the government discloses to vendors is largely PR: The public harm of maintaining 10 high severity flaws far outweighs the benefit of disclosing 90 low severity ones. We need to know the severity of disclosed vulnerabilities, not just the number.
